Why We Replaced Google Login with a WhatsApp OTP
The Login Screen Nobody Could Get Past
We launched with Google OAuth. It checked every box on the startup playbook: secure, familiar, one-click sign-in, no passwords to manage. For a team of engineers who live inside Google Workspace, it felt like an obvious choice.
Then we watched our first batch of UMKM owners try to use it.
A warung owner in Surabaya stared at the "Sign in with Google" button, then asked us which Google account she should use; she didn't have one. A fashion reseller in Bandung had a Gmail address but couldn't remember the password because she only uses it to receive marketplace notifications. A food vendor in Medan tapped the button, got redirected to Google's consent screen, and thought the site was broken.
We had built a front door that our target users couldn't open.
The Gap Between "Industry Standard" and "User Reality"
Google OAuth works beautifully in ecosystems where everyone has an active Google identity. In the tech world, that's nearly universal. But Indonesia's sixty-five million small business owners don't live in that ecosystem.
Their digital life runs through two apps: WhatsApp and their bank's mobile app. Many acquired a smartphone without ever creating a Google account; they use WhatsApp for everything from customer orders to supplier coordination. Some have a Google account tied to their phone but have never typed a password for it and wouldn't know how to authenticate through an OAuth flow.
This isn't a literacy problem. These are savvy business operators who manage inventory, negotiate with suppliers, and coordinate delivery riders, all through WhatsApp messages. The problem was that we chose an authentication method that assumed a digital identity our users didn't have or didn't actively use.
From Magic Links to OTP: Two Iterations in One Week
Our first fix was WhatsApp magic links. The user would message our WhatsApp bot, and we'd reply with a one-time login URL. It worked, but it introduced friction we hadn't anticipated: users had to leave WhatsApp, open a browser, tap a link, and hope the redirect chain landed them on the right page. Some users couldn't figure out why they needed to message a bot just to log in. Others copied the link and pasted it into the wrong app.
Within days, we iterated again. The current flow is straightforward: open the login page, enter your phone number with a country code selector, tap "Send OTP," and type in the six-digit code that arrives on WhatsApp within seconds. No redirects. No bots. No Google accounts.
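The server side of that flow, as an added illustration rather than our production code: the code comes from a CSPRNG, only its hash is stored, it expires, it is single use, it locks after a handful of wrong guesses, and a successful check mints the thirty-day session. The in-memory stores, the five-minute lifetime and the five-attempt limit are assumptions for the example.

```python
from __future__ import annotations
import hashlib, hmac, secrets, time
from dataclasses import dataclass

OTP_TTL_SECONDS = 5 * 60  # assumed: a code stays valid for five minutes
MAX_ATTEMPTS = 5  # assumed: discard the code after five wrong guesses
SESSION_TTL_SECONDS = 30 * 24 * 3600  # thirty-day session, as described above

@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts: int = 0

PENDING: dict[str, PendingOtp] = {}  # E.164 phone -> pending code (in-memory for the demo)
SESSIONS: dict[str, tuple[str, float]] = {}  # session token -> (phone, expires_at)

def normalize_phone(country_code: str, local_number: str) -> str:
    """E.164 number from the dropdown country code plus the typed digits; drops a leading trunk '0'."""
    digits = "".join(ch for ch in local_number if ch.isdigit())
    cc = country_code.lstrip("+")
    if not cc.isdigit() or not digits:
        raise ValueError("invalid phone number")
    if digits.startswith("0"):
        digits = digits[1:]
    return f"+{cc}{digits}"

def hash_code(phone: str, code: str) -> bytes:
    # Bind the hash to the phone number so a stored hash only matches its own login attempt.
    return hashlib.sha256(f"{phone}:{code}".encode()).digest()

def issue_otp(phone: str, now: float | None = None) -> str:
    """Draw a six-digit code from the CSPRNG, store only its hash, return the code for WhatsApp delivery."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    PENDING[phone] = PendingOtp(hash_code(phone, code), now + OTP_TTL_SECONDS)
    return code

def verify_otp(phone: str, submitted: str, now: float | None = None) -> str | None:
    """Return a session token on success, else None; expired or exhausted codes are discarded."""
    now = time.time() if now is None else now
    entry = PENDING.get(phone)
    if entry is None or now > entry.expires_at:
        PENDING.pop(phone, None)
        return None
    entry.attempts += 1
    if not hmac.compare_digest(entry.code_hash, hash_code(phone, submitted)):
        if entry.attempts >= MAX_ATTEMPTS:
            PENDING.pop(phone, None)  # force a fresh code after too many guesses
        return None
    PENDING.pop(phone, None)  # single use: the code cannot be replayed
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (phone, now + SESSION_TTL_SECONDS)
    return token
```

In a real deployment the pending codes and sessions live in a shared store with the same expiry, and the per-number send rate is limited as well so the WhatsApp channel cannot be used to spam a number with codes.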
The country code selector was a small but important detail. Our users span Indonesia, Singapore, Malaysia, and beyond. A dropdown with flags, the same pattern they see on e-commerce checkout pages, immediately communicated that international numbers work.
What We Lost (And Why It Didn't Matter)
Dropping Google OAuth meant giving up some conveniences. We lost the ability to pull profile photos and display names automatically. We lost the implicit trust signal of "Sign in with Google" that tech-savvy users recognize. We lost the simplicity of delegating password security entirely to Google.
But we gained something far more valuable: a login flow that one hundred percent of our target users can complete without hesitation. The phone number is the one universal identifier in Southeast Asian commerce. Every UMKM owner knows their number by heart. Every one of them has WhatsApp installed and active. The OTP pattern is already familiar from banking apps, ride-hailing services, and marketplace logins.
We also gained a direct communication channel. The phone number used to log in is now the same number we use to deliver content previews, dashboard links, and post notifications. No separate "add your WhatsApp number" step during onboarding; we already have it.
Sessions That Respect How People Work
One concern with OTP-based login is the annoyance of re-entering codes. We addressed this by configuring sessions to persist for thirty days. A warung owner who logs in once on their phone stays logged in for a month. They bookmark the dashboard or tap a WhatsApp notification link, and they're immediately in their content calendar.
This matches how our users actually interact with tools: intense bursts of activity (reviewing posts, approving content) separated by days or weeks of running their business. Nobody wants to re-authenticate every time they check their Instagram content calendar.
The Lesson: Build for the User You Have, Not the User You Imagine
The Google OAuth decision came from our engineering instincts. The WhatsApp OTP decision came from watching real users. Both were technically sound choices, but only one actually served the people we're building for.
If you're building for emerging markets, audit every assumption that comes from Silicon Valley playbooks. The "best practice" for a SaaS tool targeting developers in San Francisco might be the worst practice for small business owners in Jakarta. The technology matters less than whether your user can get through the door.
We're continuing to strip away every friction point between an UMKM owner and their AI-powered marketing content. The login screen was just the first wall to tear down.